Module 12: Governance / assurance functions and the role of the CRO

Question 1

A good CRO should improve the effectiveness of an organisation’s risk management function by (3)

Answer 1

• filling in any gaps in the skills, knowledge and/or experience in a management team
• providing additional resource for a risk management function
• being prepared to escalate issues directly to the Board without fear or prejudice to their own job security or remuneration.

Question 2

Explain how a CRO might be positioned within an organisation structure

Answer 2

Typically the CRO will either sit on the Board or will report to the Board through the CEO or CFO.

It is particularly important that the relationships between the CRO and other officers are unambiguous.

A CRO reporting to the CFO or CEO may mean conflicts of interest inhibit communication to the Board.

Question 3

Discuss the degree to which the Board might delegate some of its responsibilities for risk management and outline how that might best be achieved

Answer 3

It is common for Boards to delegate risk management to a risk subcommittee. This subcommittee will take responsibility for setting risk management strategy and policies and monitoring.

It should be independent from the day-to-day business and those appointed to it should be suitably qualified.

The accountabilities, responsibilities and relationships between the Board, risk subcommittee, CRO and line management should be clearly defined and distinct. While the Board may delegate some responsibilities to a subcommittee, the Board retains overall accountability for risk management.

In the financial sector, such delegation should be to a risk subcommittee, rather than the audit subcommittee.

Question 4

Outline the key responsibilities of the CRO

Answer 4

• providing overall leadership and direction for ERM
• establishing and integrating an ERM framework across the company
• developing risk policies / minimum standards and monitoring adherence
• developing risk models and data systems
• effective reporting (internal and external) on risk exposures (current and future / emerging)
• allocating capital to business activities based on risk-adjusted returns
• managing optimising the risk portfolio
• safeguarding the company’s financial and reputational assets
• ensuring compliance with regulatory requirements.

Question 5

6 key skills required of a CRO

Answer 5

1. LEADERSHIP
   to develop the ERM vision and recruit / retain a risk management team
2. COMMUNICATION SKILLS
   to influence and persuade the business about ERM
3. STEWARDSHIP
   the ability to act as a guardian of the organisation’s assets
4. TECHNICAL COMPETENCE
   needed to manage financial and operational risks
5. CONSULTING SKILLS
   needed to influence and educate the Board and implement policy
6. PROJECT AND CHANGE MANAGEMENT

Question 6

Outline what a CRO will need to establish upon or soon after their appointment to the role

Answer 6

The CRO will need to establish whether:

• there is a clear understanding of the company’s risk tolerance
• management’s compensation is aligned, with prudent risk management
• there are any gaps in the skills, capability and experience of the team
• each part of the insurer’s business increases its overall value
• risk management is linked into capital management, pricing and reserving processes
• the quality and extent of the information given to stakeholders enables them to assess the financial condition of the insurer
• the governance structures are robust
• the risk management operating model is appropriate

The CRO will need:

• to establish a close working relationship with the CFO - since they each have a role to play to make earnings more predictable and less likely to reduce in future
• authority within the organisation
• to understand the insurer’s key stakeholders and drivers of performance

Question 7

CRF abbreviation

Answer 7

Central risk function

Question 8

The role of the CRF should include (7)

Answer 8

• advise the Board on risk
• guide line managers on identification and management of risks, and suggest risk responses
• act as a central focus point for staff to report new and enhanced risks
• assess the overall risks being run by the business
• make comparisons of the overall risks being run by the business with its risk appetite
• monitor progress on risk management
• pull the whole picture together.

Question 9

3 lines of defence

Answer 9

1st: line management staff in the business units
2nd: the CRO, risk management team and the compliance team
3rd: the Board and audit function

Question 10

The relationship between the first two lines of defence may be characterised as one of (3) models:

Answer 10

• offence vs defence
• policy and policing
• partnership

Question 11

Outline the offence vs defence model

Answer 11

The first two lines are set up in opposition to each other.

• business units focus on maximising income and
• risk management focuses on minimising losses.

Question 12

Key disadvantage of the offence vs defence model

Answer 12

The relationship is potentially destructive and damaging to the organisation as business units and the risk management function have opposing objectives (and incentives).

Question 13

Outline the policy and policing model

Answer 13

Business units operate within rules, which are set by the risk management function and policed by the risk management, audit and compliance functions.

Question 14

Key disadvantages of the policy and policing model

Answer 14

• policies may become out of date as the risk management function is not in touch with day-to-day operations.
• audit and compliance reviews do not occur continuously, so may fail to identify problems.
• there may be friction between line management and risk management as each fails to understand each other’s viewpoint fully.
• Line management may have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred. This issue is mitigated somewhat by arguments about “the greater good” or if incentives are linked to policy compliance and reporting violations.

Question 15

Outline the partnership model

Answer 15

Risk management staff are integrated into the business units and the two functions share some measure of performance.

Under this approach:

• Business units and risk management staff work together in a client-consultant type relationship to manage risk.
• Business units must recognise the benefit to long-term performance of a risk management function.
• Risk management staff must recognise the importance of their role as consultants, ie meeting the needs of the business units (the client).

Question 16

Key disadvantage of the partnership model

Answer 16

• Independence may suffer in this structure - it is hard for risk management staff who are integrated into business units to have a corporate oversight role.

Question 17

Describe how a mix of organisational structures might work in a large insurer

Answer 17

In a large insurer (or indeed any large businesses) the risk management function may be split between a central team and units embedded in each business unit.

In this situation, it is important to ensure that a “silo” mentality does not develop - a matrix reporting framework may help here.

Question 18

4 Key challenges in managing the relationship between business units and risk management staff

Answer 18

• conflict and conflict resolution
• management of risk management staff within business units
• aligning incentives
• measuring non-financial (e.g. operational) risks

Question 19

Outline the nature of the challenges:

conflict and conflict resolution

Answer 19

Conflict arises as a result of parties perceiving risk differently - does risk mean an “opportunity for profit” or an “opportunity for loss”?

Business units often want to increase volumes and may argue for pricing based on marginal costs, but the finance department want to grow revenue and control risk and argue for full-cost pricing.

Question 20

Outline the nature of challenges:

management of risk management staff within business units

Answer 20

• Risk management staff embedded within business units may not be trusted by business unit staff and may feel stuck between two opposing sides.
• it may be best if the risk management staff report to the business unit head and have a “dotted line” link to the CRO.
• the CRO should have input into the performance review of the risk management staff embedded in business units.

Question 21

Outline the nature of challenges:

aligning incentives

Answer 21

• Aligning incentives for business unit and risk management staff can reduce conflict between them, although in practice the design of suitable performance measurement and incentive systems may be difficult.

Question 22

Outline the nature of challenges:

measuring operational risks

Answer 22

• Operational risks can be difficult to assess and take into account in performance measurement systems.
• It is particularly important to ensure a common taxonomy around operational risk management to minimise the risk of confusion.

Question 23

List 5 key skills required within a risk management function

Answer 23

1. project management skills
2. change management skills
3. relationship management skills
4. technical expertise
5. implementation skills

Question 24

Outline 6 (risk-focused) questions management should ask themselves when developing their unit(s) plans and strategies

Answer 24

Management should address questions such as:

1. What risks may prevent us from achieving our objectives?
2. How do we assess and monitor these risks?
3. How can we mitigate or transfer these risks?
4. What level of risk-adjusted performance can we expect?
5. What risk limits / tolerances should be adopted?
6. Who will measure and monitor the risks involved?

Question 25

Outline how management might address the risk that assumptions about the business are not borne out in practice

Answer 25

The risk of assumptions not being borne out in practice might be addressed by:

• setting trigger points for each assumption - levels above or below the assumed level which will trigger a specific action or plan.
• setting up a specific risk committee for new product and business development, particularly when expanding into new / foreign markets.

Question 26

State a key risk for an insurance company arising from not pricing accurately

Answer 26

If insurance companies do not price risk accurately they are likely to be subject to selection.

Question 27

Name a business and financial reporting method that should include risk assessment

Answer 27

The balanced scorecard approach integrates business and financial reporting.

A scorecard usually assesses 4 main areas:

• finance
• key stakeholders
• growth and learning
• internal business processes.

Risk management should be incorporated into the scorecard.

Question 28

Outline best practice for remuneration systems in financial organisations

Answer 28

The link between executive compensation and risk management should be disclosed, including salaries, incentive-based compensation and stock options.

Compensation arrangements should not encourage excessive or inappropriate risk-taking.

Where appropriate / practical, clawback provisions should be implemented to recoup incentive-based compensation if risk-taking, with hindsight, was deemed excessive.

Question 29

Assurance systems

Answer 29

Processes and structures designed to give the Board of Directors confidence that the ERM framework is effective.

Question 30

Outline the role of Chief Risk Officer

Answer 30

The Board’s support for the CRO is critical to the success of ERM.

The CRO:

• often reports to the CEO or CFO
• — associated conflicts can be reduced if the CRO also has a dotted reporting line to the Board (or risk committee), which becomes a solid line under extreme circumstances
• ideally, the CRO should be a Board member and lead the risk subcommittee.

The CRO heads up the Risk Management Function (RMF) / Central Risk Function (CRF) and coordinates the various risk management divisions of the company.

The CRO is accountable to the Board for developing, implementing and maintaining an ERM strategy.

Question 31

In order to create value and align interest, it is important for risk management to be integrated into business activities such as (5)

Answer 31

• business strategy development
• new product development
• pricing
• business performance measurement
• risk and incentive compensation / remuneration

Question 32

The way in which a company chooses to structure the relationship between its RMF / CRF and the rest of the business will vary considerably according to (4)

Answer 32

• existing governance structures
• size and nature of the business
• risks faced by the business
• autonomy / accountability of the business units in the current structure

Question 33

In addition to the Board of Directors and the RMF / CRF, the stakeholders that have a monitoring role in relation to risk management include (3)

Answer 33

THE COMPLIANCE FUNCTION, e.g.

• – managers should document compliance with relevant legislation and rules
• – risks of non-compliance should be identified, and a plan to achieve full compliance drawn up
• – regulators should be informed promptly of non-compliance

THE INTERNAL AUDIT FUNCTION, e.g.

• – security of systems to prevent fraud
• – compliance with laws, regulations and internal governance codes
• – key spreadsheets / systems

EXTERNAL AUDIT